Details

Description

I have been testing ways to secure James and have seen that there was the option to add policies in the file environment.xml, but in versions 2.3 and 3.0 it does not work. I suppose that it has to do with the migration to Phoenix 4.2 from 4.0.1; it seems that it simply ignores them quietly and treats it like an AllPermission, which is strange.

In James 2.2, if no policy is configured, phoenix.log says: [Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.

In 2.3 / 3.0 no message shows...

I have used a policy like this, and... it never throws security exceptions...
<policy>
<grant code-base="file:$

Guillermo Grandes
added a comment - 23/Sep/06 17:01
Well, my phoenix.sh is a little different... I don't have any goto, but yes, I'm using the security manager; my running command line is:
/usr/java/java15/bin/java
-Dprogram.name=JAMES1 -Xms128m -Xmx256m
-Djava.ext.dirs=/opt/james/lib:/opt/james/tools/lib
! -Djava.security.manager
! -Djava.security.policy=jar:file:/opt/james/bin/phoenix-loader.jar!/META-INF/java.policy
-Dphoenix.home=/opt/james
-Djava.io.tmpdir=/opt/james/temp
-jar /opt/james/bin/phoenix-loader.jar
The modified cvs-migration-snapshot code of Phoenix (I was looking at it last night) seems to be quite different from kickjava.com; is this the last version, 4.2? Until now I have been guiding myself by pages like this (and docjar.com, MacGyver style), which makes it difficult for me to work.

Many thanks for the info!

Stefano Says:

Hi Guillermo,

I don't know/don't have time currently to look at what happened, but we could try to fix things in Phoenix.

As you can read in the JAMES_PHOENIX.txt file in the root of our source tree, we're currently using a modified build of
https://svn.apache.org/repos/asf/avalon/cvs-migration-snapshot/avalon-phoenix/

Have you set $PHOENIX_SECURE to true before starting phoenix? I see the following things in the run scripts:
—
if [ "$PHOENIX_SECURE" != "false" ] ; then
# Make phoenix run with security manager enabled
JVM_OPTS="$JVM_OPTS -Djava.security.manager"
fi
—
if "%PHOENIX_SECURE%" == "false" goto postSecure
rem Make Phoenix run with security Manager enabled
set PHOENIX_SM="-Djava.security.manager"
:postSecure
—
Maybe this has nothing to do with your problem, but it is the only information I can give you.

I think that Loom is not an option for James because it is simply a branch of Phoenix and it is also no longer developed.

In the future (far future) we could switch to plexus (the maven container, which is getting more interest and also supports avalon components) or to felix, but I think we should try to fix the security in phoenix if we find "where" to put our hands.

Stefano

Guillermo Grandes
added a comment - 23/Sep/06 17:01
This is my workaround custom policy to "securize" James.
I attach it in case somebody wants to use it as a starting point.
Place the policy in "$PHOENIX_HOME/bin" and change phoenix.sh to use the new policy:
> -Djava.security.policy=jar: file:/opt/james/bin/phoenix-loader.jar!/META-INF/java.policy
+ > -Djava.security.policy= file:$PHOENIX_HOME/bin/james.policy \

Guillermo Grandes
added a comment - 23/Sep/06 21:13
I have been watching... for more info about this problem...
http://svn.apache.org/repos/asf/avalon/cvs-migration-snapshot/avalon-phoenix/src/java/
org/apache/avalon/phoenix/components/classloader/DefaultClassLoaderManager.java
org/apache/avalon/phoenix/components/classloader/SarPolicyResolver.java
I see references to:
org.realityforge.xmlpolicy.*
import org.realityforge.xmlpolicy.builder.PolicyBuilder;
import org.realityforge.xmlpolicy.metadata.PolicyMetaData;
import org.realityforge.xmlpolicy.reader.PolicyReader;
import org.realityforge.xmlpolicy.builder.PolicyResolver;
$PHOENIX_HOME/lib/spice-{salt,xmlpolicy,loggerstore,classman}-*.jar
In the old version snapshotted by kickjava.com:
http://www.kickjava.com/src/org/apache/avalon/phoenix/components/classloader/DefaultClassLoaderManager.java.htm
I can't see references to org.realityforge.xmlpolicy.*
Searching for source in google...
http://cvs.loom.codehaus.org/browse/~raw,r=1.6/loom/loom/support/xmlpolicy/src/java/org/realityforge/xmlpolicy/builder/PolicyBuilder.java
I have run out of ideas.
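
One way to confirm from inside the JVM whether a policy is really being enforced or whether the code effectively holds AllPermission, the symptom reported in this issue. This is an added example, not code from James, Phoenix or any commenter; the class name PolicyProbe and the probed permissions are assumptions chosen for illustration, and it assumes a JVM that still supports the Security Manager.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.ProtectionDomain;

// Added diagnostic (hypothetical class name), not part of James or Phoenix.
public class PolicyProbe {
    // Constructed sample permissions that a restrictive policy would normally deny.
    static final Permission[] PROBES = {
        new AllPermission(),
        new RuntimePermission("exitVM"),
        new RuntimePermission("setSecurityManager"),
        new FilePermission("/etc/passwd", "write"),
    };

    // Reading the domain needs RuntimePermission "getProtectionDomain";
    // a denial here already shows that some policy is being enforced.
    static ProtectionDomain domain(Class<?> c) {
        try { return c.getProtectionDomain(); }
        catch (SecurityException e) { return null; }
    }

    // What the class's own domain is granted (static grants plus policy).
    static String granted(Class<?> c, Permission p) {
        ProtectionDomain pd = domain(c);
        return pd == null ? "unknown" : String.valueOf(pd.implies(p));
    }

    // What the security manager enforces for the current call stack.
    static String enforced(Permission p) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) return "not checked (no security manager)";
        try { sm.checkPermission(p); return "allowed"; }
        catch (SecurityException e) { return "denied"; }
    }

    public static String report(Class<?> c) {
        StringBuilder sb = new StringBuilder();
        sb.append("security manager: ").append(System.getSecurityManager()).append('\n');
        ProtectionDomain pd = domain(c);
        sb.append("code source: ").append(pd == null ? "unknown" : pd.getCodeSource()).append('\n');
        for (Permission p : PROBES) {
            sb.append(p).append(" granted=").append(granted(c, p))
              .append(" enforced=").append(enforced(p)).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(report(PolicyProbe.class));
    }
}
```

Run it with the same -Djava.security.manager and -Djava.security.policy options as the server, or call report(...) on a class loaded from the application being checked. If AllPermission shows as granted and nothing is denied, the policy is not restricting that code.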